Working Remotely – Do You Think You Are Secure?

The office space has changed over the last few decades: from cubicles
and open space to what The New York Times has described as a ‘palette of
places’. However, despite numerous benefits, cybersecurity of remote working
can be a headache for companies, their employers or clients.

Although remote working is increasingly popular among newer tech companies, older organisations such as Microsoft, IBM and General Electric are also adopting these practices. There are various forces behind the rise of remote working, but one of the main reasons is that the workforce is becoming increasingly mobile, so that work can be done from anywhere and at any time.

A recent Gallup report suggests that about 43% of employees worked remotely in 2016, while the globe-spanning 2017 study from Polycom reported that the remote workplace is on the rise: 62% of 25,000 surveyed workers reported regularly taking advantage of flexible working practices offered to them.

Besides typical remote working for a company, a variant of this type of working is the so-called ‘gig economy’ or ‘on-demand’ economy. It denotes an environment in which temporary positions are common and organisations contract with independent workers for short-term engagements. For example, a study by Intuit predicted that by 2020, 40% of US workers would be independent contractors.

Although beneficial, remote working comes with a number of cybersecurity issues. According to new figures from CybSafe, every third business in the past 12 months has suffered a data breach thanks to its remote workforce.

Remote working cybersecurity issues

The iPass survey ‘2018 Mobile Security Report’ found that the majority of Chief Information Officers (CIOs) suspected that their remote workers had been hacked in the last 12 months. Additionally, 67% of respondents believed that most Wi-Fi-related cybersecurity incidents occurred at coffee shops. Moreover, almost half of the CIOs surveyed said that Bring Your Own Device (BYOD) initiatives had increased cybersecurity risks.

Generally, remote working is associated with three major issues: inability to enforce cybersecurity, lack of commitment to ‘best practices’ and risky behaviour of the mobile workforce. In concrete terms, remote working cybersecurity issues are associated with: (i) Wi-Fi security, (ii) hacking risks, associated with (iii) coffee shop Internet access, (iv) the use of personal devices for work (BYOD practices), and (v) the use of free Virtual Private Networks (VPNs).

Although all of these cybersecurity issues are important, it seems that the weakest cybersecurity link is still the human factor. The most reported cybersecurity breaches among remote workers are linked to (i) opening emails and attachments from unknown or suspicious sources, (ii) using work computers and devices for personal use (e.g. private social media networking), (iii) allowing non-employees to borrow work computers and devices for personal use, (iv) hijacking wireless internet connections from neighbours, (v) accessing work files with personal, non-IT-protected devices, and (vi) using ‘shadow’ (unsanctioned) devices or applications.

Online shopping: Nearly 40% of remote workers in the same respondent pool said they use their work computers for Internet shopping. Half said they make personal online purchases because their “company does not mind them doing so.”

Sharing computers: 21% of users admitted that they allowed others to use their work computers. More than one in four stated that they “don’t see anything wrong with it” and also believed that computer sharing “does not increase security risks.”

Risky wireless behaviour: One in 10 users surveyed stated that they have used a neighbour’s Internet connection when working remotely. Most stated they did so because “they were in a bind.” 18% stated that “my neighbour doesn’t know, so it is OK.”

Personal devices: Almost half reported that they used their own personal devices to access corporate resources. Yet only half of those who used these devices said they had antivirus or security software on the devices.

E-mail downloading: 10 to 20 per cent of users in India and Brazil admitted to opening unknown e-mail messages and their attachments. Moreover, 38% of users reported that they click on unknown e-mail messages but do not open attachments.

In a world where the average website is attacked 44 times per day, the possibility of remote working cybersecurity breaches is not too hard to imagine.

Tips for remote working cybersecurity

The cited Cisco survey showed that nearly one-third (29%) of users use the company computer for personal use. This not only affects productivity but also poses greater cybersecurity threats. Considering this and similar trends, the problem of cybersecurity for remote workers will undoubtedly grow rapidly, unless organisations and their remote workers confront the issues proactively.

Awareness is a crucial first step in safeguarding organisations. While end users might be aware of the importance of security, this knowledge is not sufficient to ensure safer behavioural habits among remote end users. “Just because users think or say they are cognizant does not mean they know how to be safe. An end user who is poorly informed about security best practices, yet believes he is working safely, can actually exacerbate security risks for IT organizations,” cautions the Cisco study.

Hence, creating clear remote working policies and procedures,
which cover the use of all sanctioned devices and applications, is of the
utmost importance. It is equally important that the employees participate in policy creation. This will ensure that these
policies will be aptly enforced and accepted by the remote workers.

But first things first: enforce multi-factor (at least two-factor) authentication to control access to the organisational information system.

Providing workers with tools that are effective from the business standpoint but also cyber-secure is likewise essential for securing remote working. This practice will eliminate the need for ‘shadow’ IT. Of course, business and security software should be updated frequently.

Encrypting data on all devices in use is a must. In addition, access to the company’s data should be allowed only to approved mobile devices, and only to the data that employees need. Although it can sometimes slow business processes somewhat, the use of VPNs in this regard can help tremendously.

It is, however, of supreme importance that organisational IT and cybersecurity teams nurture two-way communication with end users in order to collaborate with them and educate them about possible threats and risky behaviour. In turn, by sharing their experience with the cybersecurity team, end users can help in fine-tuning organisational strategies for deploying appropriate technologies and non-technical safeguards.